Is anyone still seeing this or have they fixed it?

-J
Sent via iPhone

> On Mar 17, 2016, at 02:44, Mark Allan <markjal...@gmail.com> wrote:
>
> Just to confirm, I'm also seeing everything being flagged as
> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
>
> Mark
>
>> On 17 Mar 2016, at 6:49 am, Al Varnell <alvarn...@mac.com> wrote:
>>
>> I just ran a scan against the ClamAV test files contained in the 0.99.1
>> source file and I’m getting all Win.Trojan.Trojan-476:
>>
>> File Name  Infection Name  Status
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa  Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa  Win.Trojan.Trojan-476
>>
>> -Al-
>>
>>> On Wed, Mar 16, 2016 at 10:46 PM, Jason Williams wrote:
>>>
>>> Hey Al,
>>>
>>> I submitted a FP report with one attached. Just put the EICAR string into a
>>> txt file and that'll trigger it.
>>>
>>> -J
>>>
>>> Sent via iPhone
>>>
>>>> On Mar 16, 2016, at 22:16, Al Varnell <alvarn...@mac.com> wrote:
>>>>
>>>> I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now
>>>> see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605
>>>> are identical, so this is an FP situation which would be reported.
>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>>>>
>>>> However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file
>>>> to submit.
>>>>
>>>> -Al-
>>>>
>>>>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
>>>>>
>>>>> Culprit seems to be sanesecurity-porcupine.ndb
>>>>> (http://sanesecurity.com/usage/signatures/). Moving it out causes
>>>>> Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the
>>>>> Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB
>>>>> I'm not sure why that is.
>>>>>
>>>>> -J
>>>>>
>>>>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>>>>
>>>>>> Disregard, I found it here after they got the new main.cvd:
>>>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>>>>>>
>>>>>> I’ll see what I get once my main.cvd finishes.
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>>> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
>>>>>>>
>>>>>>> I’m still looking, but so far I can’t find any Win.Trojan.Trojan
>>>>>>> signatures in the ClamAV Official database or listed in clamav-virusdb
>>>>>>> e-mail list.
>>>>>>>
>>>>>>> Nor can I confirm your results using my own EICAR.
>>>>>>>
>>>>>>> Are you using any Unofficial signatures from a different source?
>>>>>>>
>>>>>>> -Al-
>>>>>>>
>>>>>>>> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
>>>>>>>>
>>>>>>>> Pulled down 21466 (and force restarted clamd) but it's still classifying
>>>>>>>> EICAR as Win.Trojan.Trojan:
>>>>>>>>
>>>>>>>> https://gist.github.com/williamsjj/b8104402e80f44475df5
>>>>>>>>
>>>>>>>> Databases are up to date now:
>>>>>>>> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>>>>> Downloading daily.cvd [100%]
>>>>>>>> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
>>>>>>>> Empty script bytecode-275.cdiff, need to download entire database
>>>>>>>> Downloading bytecode.cvd [100%]
>>>>>>>> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
>>>>>>>> Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
>>>>>>>>
>>>>>>>>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>>>>>>>
>>>>>>>>> Those are normal messages for an update of this kind. The 21465.cdiff was
>>>>>>>>> purposely blank in order to force you to download the entire daily.cvd.
>>>>>>>>> Give it plenty of time as the main.cvd is 109MB.
>>>>>>>>>
>>>>>>>>> Technical details:
>>>>>>>>> <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
>>>>>>>>>
>>>>>>>>> -Al-
>>>>>>>>>
>>>>>>>>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
>>>>>>>>>>
>>>>>>>>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors
>>>>>>>>>> out of freshclam:
>>>>>>>>>>
>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>>>>> nonblock_recv: recv timing out (30 secs)
>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>>>>>>>
>>>>>>>>>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> The new database was just made available, so I recommend you hold off
>>>>>>>>>>> until you have the new main.cvd v57 and daily.cvd v21466 before getting
>>>>>>>>>>> too excited about this.
>>>>>>>>>>>
>>>>>>>>>>> -Al-
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> As of the latest daily update, running ClamAV against the EICAR test
>>>>>>>>>>>> string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
>>>>>>>>>>>>
>>>>>>>>>>>> -J
>>>>>>
>>>>>> _______________________________________________
>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>
>>>>>> http://www.clamav.net/contact.html#ml
>>>>
>>>> -Al-
>>>> --
>>>> Al Varnell
>>>> Mountain View, CA
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA
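The two checks the thread does by hand, looking up which database file a detection name is defined in and checking whether two names carry a byte-identical signature body, as an added Python example. This is not code from the ClamAV project or from anyone in the thread. It parses the plain-text .ndb format (MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]). The two sample databases are constructed stand-ins, labelled daily.ndb and thirdparty.ndb, and are not the contents of the real daily.cvd or of sanesecurity-porcupine.ndb; the Clam.Test.Sample-1 entry and its body are made up. The EICAR hex body is assembled from two halves so that this source file is not itself a complete EICAR string.

```python
# Added example, not ClamAV project code. Parses .ndb signature entries and answers:
#   1. which database file(s) define a given detection name, and
#   2. which other names share an identical hex body (so the engine may report
#      the other name for the same bytes, which an operator sees as a false positive).
# SAMPLE_DBS below is CONSTRUCTED for illustration; it is not real database content.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class NdbSig(NamedTuple):
    name: str
    target: int      # ClamAV target type (0 = any file, 1 = PE, ...)
    offset: str      # "*" or an offset expression, kept verbatim
    body: str        # hex body, lower-cased; wildcards such as ?? {n-m} (aa|bb) kept verbatim
    source: str      # database file the entry came from


def parse_ndb(text: str, source: str) -> List[NdbSig]:
    """Parse .ndb text. Blank lines and '#' comments are skipped. A malformed entry
    raises instead of being dropped: a silently missing signature is a coverage gap
    nobody notices, while a loud failure gets fixed."""
    sigs: List[NdbSig] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")            # hex bodies never contain ':'
        if len(fields) < 4:
            raise ValueError(f"{source}:{lineno}: need at least 4 colon-separated fields")
        name, target, offset, body = fields[:4]
        if not target.isdigit():
            raise ValueError(f"{source}:{lineno}: target type {target!r} is not an integer")
        if not body:
            raise ValueError(f"{source}:{lineno}: empty hex body")
        sigs.append(NdbSig(name, int(target), offset, body.lower(), source))
    return sigs


def load_databases(dbs: Dict[str, str]) -> List[NdbSig]:
    """dbs maps a database file name to its text (read the .ndb files from disk in real use)."""
    sigs: List[NdbSig] = []
    for source, text in dbs.items():
        sigs.extend(parse_ndb(text, source))
    return sigs


def sources_of(sigs: List[NdbSig], detection_name: str) -> List[str]:
    """Database file(s) that define this detection name."""
    return sorted({s.source for s in sigs if s.name == detection_name})


def aliases_of(sigs: List[NdbSig], detection_name: str) -> List[str]:
    """Other detection names whose hex body is identical to one of this name's bodies."""
    bodies = {s.body for s in sigs if s.name == detection_name}
    return sorted({s.name for s in sigs if s.body in bodies and s.name != detection_name})


def identical_bodies(sigs: List[NdbSig]) -> Dict[str, List[Tuple[str, str]]]:
    """body -> [(name, source), ...] for every body that appears under more than one name."""
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for s in sigs:
        groups[s.body].append((s.name, s.source))
    return {body: entries for body, entries in groups.items()
            if len({name for name, _ in entries}) > 1}


# The 68-byte EICAR test string, split in two so this file is not a complete EICAR file.
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_hex() -> str:
    """Hex body of the EICAR test string (136 hex digits)."""
    return "".join(EICAR_PARTS).encode("ascii").hex()


# Constructed sample databases (NOT real database contents). The third-party file carries
# the EICAR body a second time under a different name, the situation the thread describes.
SAMPLE_DBS = {
    "daily.ndb": (
        "# constructed stand-in for the official database\n"
        f"Win.Test.EICAR_NDB-1:0:0:{eicar_hex()}\n"
        "Clam.Test.Sample-1:1:*:4d5a900003000000ffff0000b8000000\n"   # made-up entry
    ),
    "thirdparty.ndb": (
        "# constructed stand-in for an unofficial database\n"
        f"Win.Trojan.Trojan-605:0:0:{eicar_hex()}\n"
    ),
}

if __name__ == "__main__":
    sigs = load_databases(SAMPLE_DBS)
    for name in ("Win.Trojan.Trojan-605", "Win.Test.EICAR_NDB-1"):
        print(f"{name}: defined in {sources_of(sigs, name)}; same body also named {aliases_of(sigs, name)}")
    for body, entries in identical_bodies(sigs).items():
        print(f"identical body {body[:16]}... -> {entries}")
```

On a live install the .cvd files are archives, so unpack one first (`sigtool --unpack daily.cvd` writes daily.ndb and the other plain-text databases into the current directory) and feed the .ndb files to `load_databases`; `sigtool --find-sigs=REGEX` does the name lookup against the installed databases. To reproduce the thread's move-it-out, move-it-back test without touching the database directory, scan the test file against a single database with `clamscan -d /path/to/one-database.ndb file.txt` and compare the reported name.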